After the recent outbreak of a worm that hijacked users' Facebook accounts and spread through their contacts, Facebook responded with a post offering users general tips on web security. Facebook's head of security, Max Kelly, a former FBI computer forensics examiner, wrote a blog post with advice to Facebook users including:
As a Facebook user you can help us protect you by doing the following things:
* Report any spam message or posting you see. The more reports we get, the easier it is for us to respond decisively.
* Never share your Facebook password with anyone. Never. No Facebook employee will ever ask for it, and no one else should know it. If you are ever prompted to log in to Facebook, make sure it’s from a legitimate Facebook web address. If something looks or feels off, go directly to www.facebook.com to log in.
Never entering your credentials on a non-Facebook site is very good advice, which most users should know by now and should adhere to. The problem is that Facebook does not seem to follow these same principles when it comes to a user's credentials for other sites, such as a user's Google username and password, which Facebook requests when a user imports their contacts. The screenshot below is from Facebook: it is the feature where a user can log in to their Google, Hotmail or Yahoo account, from within the Facebook site, to retrieve their contacts.

This very feature directly contravenes Facebook's own good security advice. While the message below the box does state that they do not store passwords, the point is rather that having users directly enter credentials for another site is a very poor design decision and, in general, very poor practice. Each of the sites that Facebook integrates with supports oAuth or a similar delegated-access protocol that does not require the user to hand over both their username and password. Better yet, most of those services also provide an API through which the user can grant Facebook permission to access only their address book, and not their whole email account, and certainly not every other service tied to it.
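As an added illustration of the point above (example code, not from the post or from Facebook), this toy provider contrasts what a site can reach once it holds the user's provider password with what a scoped, revocable token of the kind oAuth-style APIs issue allows. The account data, scope names and token format are constructed for illustration.

```python
import secrets
# Constructed sample account at a hypothetical mail provider (not real data).
ACCOUNTS = {"alice@example.com": {
    "password": "correct horse battery staple",
    "contacts": ["bob@example.com", "carol@example.com"],
    "inbox": ["Re: salary review", "Password reset for your bank"]}}

class AccessDenied(Exception):
    pass

class Provider:
    """Toy resource server: every call is checked against the token's scopes."""
    def __init__(self):
        self._tokens = {}  # opaque token -> {"user": ..., "scopes": frozenset}
    def grant(self, user, scopes):
        # The user approves named scopes at the provider itself; the password
        # never leaves it, only this opaque token is handed to the importer.
        tok = secrets.token_urlsafe(16)
        self._tokens[tok] = {"user": user, "scopes": frozenset(scopes)}
        return tok
    def revoke(self, tok):
        self._tokens.pop(tok, None)  # cuts off one third party, no password change
    def _account(self, tok, scope):
        t = self._tokens.get(tok)
        if t is None or scope not in t["scopes"]:
            raise AccessDenied(scope)
        return ACCOUNTS[t["user"]]
    def contacts(self, tok):
        return list(self._account(tok, "contacts:read")["contacts"])
    def inbox(self, tok):
        return list(self._account(tok, "mail:read")["inbox"])

def password_antipattern(user, password):
    """What a site holding the user's provider password can reach: everything."""
    acct = ACCOUNTS[user]
    if acct["password"] != password:
        raise AccessDenied("password")
    return {"contacts": acct["contacts"], "inbox": acct["inbox"]}

def import_contacts(provider, user):
    """Address-book import with a contacts-only token; mail stays unreachable."""
    tok = provider.grant(user, ["contacts:read"])
    contacts = provider.contacts(tok)
    try:
        provider.inbox(tok)
        mail_exposed = True
    except AccessDenied:
        mail_exposed = False
    provider.revoke(tok)  # import finished; the grant stops working
    return contacts, mail_exposed, tok
```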
The Facebook security team has stated what good practice is on their blog; perhaps it's time for them to direct their energies internally and evangelize support for oAuth and other open data formats as a more secure and more convenient mechanism for data exchange.
This is the same advice any website gives you, including eBay, which has had this happen for years. It goes without saying.
@T3chlusive – You’re exactly right, the only people who will get this warning are the people who don’t need to be warned.
Most people don’t give out passwords anyways… it’s just something you don’t do…why would you?
http://blabtech.blogspot.com
Actually they do. I think there is a quote from someone (Arrington?): “People are willing to give up a huge amount of privacy for just small incremental changes in user experience” or something like that.
Everyone knows that the weakest link is the human and their participation in the process. If we could just get rid of them!
@techdude
Umm…actually, no. People do this all the time. Tons of sites and services rely on you giving out your data, from lifestreaming sites, to twitter clients, to most apps that import your contacts. It’s getting worse, not better. Hopefully oAuth will help.
http://www.realeditor.com
BTW, Ryan, I have equity a plenty and a mighty LLC wax seal if you still wanna throw some capital our way. I cloned all the functionality in realeditor.com. It should go live tomorrow.
Oh, and I forgot about sites like Mint, that require you to give out the passwords to you financial institutions, which may seem stupid, but hundreds of thousands of people have done (maybe more by now).
Plus security questions. Convenience at the sake of protecting yourself.
I think you’re taking it too easy on them. They can’t send out a notice like this when they still ask for passwords to invite/find friends.
I’m pretty sure this is the definition of talking out of both sides of your mouth.
They also forgot to tell people what to do if it’s another site that looks exactly like FB.
you mean like plaxo?
Interesting how Facebook Connect sites ask users to enter their Facebook username/password directly onto untrusted sites. The password antipattern must end!
Nik,
Nice post.
Do you have any posts on oAuth? Have not previously heard of it.
Tech Crunch is a brand I trust and there are often some very smart comments from the readership of TC. Look forward to more high quality discussions.
ATB,
David
Good call. I hope the FB folks are reading this.
Facebook may owe at least a small part of their rapid growth to the address book feature; I doubt they’d really be that interested in taking it down.
Max, we should have a confidential chat.
The fact that they are hypocrites is one thing. But the Facebook API needs to add support for something like oAuth. Otherwise, us developers have no other option than to ask for username/password.
I wrote about this exact same issue in one of my recent posts: http://srmrt.bl...networking.html.
Since I was new to the social networking circle then and since none of the other social networks I knew of had done this to me (asking me for my mail id and passwd to shamelessly log in to my accounts) I walked into the FB trap. As soon as I realized what FB had done to me (within moments, thankfully) I logged out of my FB account and never used it again.
Your post is aptly named.
It’s getting worse, not better. Hopefully oAuth will help.
Original.
It would appear that security and Facebook cannot be said in the same sentence. I think it's something that needs correction.
Let me get this right – you actually have the nerve to complain about such a fair warning and the extra features from a free social networking site that is 10x better than most other social networking competition? LOOKS LIKE SOMEBODY NEEDS TO GET A LIFE.
I heard it’s only 9x better.
How exactly will this not get worse with Facebook Connect? You don’t think malicious sites are going to fake the login overlay to steal credentials?
Impossible! Never been done before!
Did you actually try this before you wrote about it? Because when you enter a Hotmail or Yahoo address, it does take you through those sites’ APIs.
I totally agree. Fortunately, I don’t use Facebook, so anything Facebook-privacy-related doesn’t worry me.
More people should start quitting Facebook.
The problem is: you might have difficulty in identifying what “we” are.
So, the advice should have been: Never Ever Enter Your Passwords on Another Sites, No Matter What So Ever.
Facebook is full of it…
Facebook does not care about its users, facebook cares only about facebook.
If facebook cared about their users they would completely review their terms of use and they would respect the people who are making them so big in the first place.
If facebook cared about its users they would not have allowed all these lame applications to be rolled out on their platform to spam their users to generate traffic.
Facebook claims that they want to protect their users by asking them not to invite their friends to other good services. This is really funny when you think that the only reason that facebook actually exists is that they were the best at this viral mkt gig…
Mark, you have more money than you will ever be able to spend and still have fun. Respect your customer, make the world a better place and don’t be evil…
Cheers
My work recently blocked Facebook. I'm trying to get into the site without actually having to go through facebook.com, just like we do for MSN: I go to meebo.com and I'm able to access MSN through there. Anyone have any ideas as to what I can do??
Hey Anne,
How ’bout you work when you’re at work? They are paying you. You can fool around when you are off work.
Hey CB,
Thank you so much for your input, however, these comments of yours are useless. Unless you have something useful to say…keep it to yourself!
Have a great day!!!!!
Hi, i think you’re taking it too easy on them.
Facebook is a free-access social networking website that is operated and privately owned by Facebook, Inc. Users can join networks organized by city, workplace, school, and region to connect and interact with other people. However, more users cause even more problems!.. read more http://gawker.c...e-more-problems
I wonder how Facebook Connect sites can be asking users to enter their Facebook username/password directly onto untrusted sites. It must be dangerous..